On 06/15/2015 07:51 AM, Mark Ballard wrote:
> Apparmor is set in complain mode, out-of-the-box, for Google Chromium.
> 
> It has given me 8 complaints, mostly for write requests.
> 
> It wants me to tell it what to do. But I feel more inclined to answer with a
> question: WTF?!
> 
> It wants write access to: gid_map, setgroups, uid_map,
chromium has started using user namespaces and you are going to need the
following to get it to work again:

  # for unprivileged user namespace sandbox (sigh)
  # LP: #1447345
  capability sys_admin,
  capability sys_chroot,
  @{PROC}/@{pid}/setgroups w,
  @{PROC}/@{pid}/uid_map w,
  @{PROC}/@{pid}/gid_map w,
  @{PROC}/@{pid}/stat r,

This is being discussed in reference to oxide (bindings for the chromium content
api) here:
http://launchpad.net/bugs/1447345

> And read access to: stat, ptrace_scope, and tcp_fastopen
> 
See above for stat. @{PROC}/sys/kernel/yama/ptrace_scope and
@{PROC}/sys/net/ipv4/tcp_fastopen are both fine.



-- 
Jamie Strandboge                 http://www.ubuntu.com/
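As an added example (not from this thread, and not AppArmor's own aa-logprof, which is the real tool for this job), here is a small Python script that turns complain-mode audit entries like the ones Mark is seeing into candidate profile rules: it collapses /proc/<pid>/ into the @{PROC}/@{pid}/ variables used in the snippet above, merges the requested masks per path, and emits capability rules for "capable" events. The log lines are constructed to mirror the paths discussed here; the profile path and pids in them are made up. Each suggested rule still needs a human look before it goes into the profile (capability sys_admin in particular is a big grant, hence the "sigh" above).

```python
import re
from collections import defaultdict

# Constructed sample audit lines, shaped like AppArmor complain-mode ("ALLOWED")
# entries. The profile path and pid 4242 are made up for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1434354000.123:101): apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=4242 comm="chromium-browse" capability=21  capname="sys_admin"
type=AVC msg=audit(1434354000.124:102): apparmor="ALLOWED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=4242 comm="chromium-browse" capability=18  capname="sys_chroot"
type=AVC msg=audit(1434354000.125:103): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/4242/setgroups" pid=4242 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
type=AVC msg=audit(1434354000.126:104): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/4242/uid_map" pid=4242 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
type=AVC msg=audit(1434354000.127:105): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/4242/gid_map" pid=4242 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
type=AVC msg=audit(1434354000.128:106): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/4242/stat" pid=4242 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1434354000.129:107): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/4242/stat" pid=4242 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1434354000.130:108): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/sys/kernel/yama/ptrace_scope" pid=4242 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1434354000.131:109): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/sys/net/ipv4/tcp_fastopen" pid=4242 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value or key="quoted value" tokens as they appear in audit records
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return the key/value pairs of one audit line, with quotes stripped."""
    return {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}


def generalise_path(path):
    """Rewrite a concrete /proc path into the @{PROC}/@{pid} profile variables."""
    path = re.sub(r'^/proc/\d+/', '@{PROC}/@{pid}/', path)
    path = re.sub(r'^/proc/', '@{PROC}/', path)
    return path


def suggest_rules(log_text, profile=None):
    """Collect candidate AppArmor rules from ALLOWED/DENIED audit entries.

    Capability events become 'capability <name>,' rules; file events are
    keyed by generalised path with their requested masks merged, so a path
    seen with 'r' and later 'w' yields a single '... rw,' rule.
    """
    caps = set()
    masks = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get('apparmor') not in ('ALLOWED', 'DENIED'):
            continue  # not an AppArmor event
        if profile is not None and ev.get('profile') != profile:
            continue  # only the profile we are editing
        if ev.get('operation') == 'capable' and 'capname' in ev:
            caps.add(ev['capname'])
        elif 'name' in ev and 'requested_mask' in ev:
            masks[generalise_path(ev['name'])].update(ev['requested_mask'])
    rules = ['capability %s,' % c for c in sorted(caps)]
    rules += ['%s %s,' % (p, ''.join(sorted(m))) for p, m in sorted(masks.items())]
    return rules


if __name__ == '__main__':
    for rule in suggest_rules(SAMPLE_LOG):
        print('  ' + rule)
```

Run on the sample it prints the same set of rules as the snippet above (two capability rules, the three map/setgroups writes, the stat read collapsed to one rule, plus the two sysctl reads). Feed it `journalctl -k` or /var/log/audit/audit.log output and pass profile= to restrict it to the chromium profile.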


-- 
AppArmor mailing list
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor